Hello. We have produced a new Internet Draft, describing how
ISAKMP (and IKE to a large extent, or even KINK) could be reused in
the context of protecting one non-IP protocol in mobile networks. We
would appreciate getting the group's opinion on this approach.
Background:
===========
The 3GPP (third generation mobile network standardization forum)
is working on security for their MAP protocol. MAP is a central
protocol in GSM networks, and continues to be used at least for a
while also in 3G networks; perhaps eventually however completely replaced
by protocols such as SIP and AAA. As MAP transports sensitive data
used e.g. in the authentication of GSM phones, operators are being
increasingly concerned that MAP messages are transported in
the clear. Now, a security mechanism has been designed to
encrypt and integrity protect MAP messages. MAP runs over
SS7, and the security mechanism inserts a header between the
SS7 and MAP parts of packets.
The network arrangement is typically such that servers from
two operator networks (visiting and home) need to talk to
each other. Both IP and SS7 connectivity exists. There is a
large number of operators.
However, the fact that we can encrypt MAP messages is not
enough by itself. We also need to configure and create MAP
SAs in a scalable manner, and we need to have lifetimes for
the use of the SAs. For this we need key management.
Our involvement:
================
We've been working on a slight modification of the IPSEC DOI
in order to use ISAKMP/IKE to negotiate the MAP security
associations. It turns out that IKE phase 1 can be used as-is
(alternatively KINK), and that phase 2 is modified only with
respect to the meaning of the SA data. For details, see the I-D
http://search.ietf.org/internet-drafts/draft-arkko-map-doi-00.txt
There are also other possible alternatives to implement the
same functionality. A completely new and MAP-specific key
management protocol over IP has also been discussed but we'd rather
reuse IKE since that is used also for other purposes, is quite
complete, can be deployed fast, and we could reuse implementations.
An alternative protocol could also be developed solely on top of SS7.
And then to the issues on which we'd like your opinion:
======================================================
1) What is your technical opinion of the approach?
2) If we decide to go for this approach within the mobile
networks, how should this work proceed in the IETF
world? An informational RFC? Will these be allowed
while some standards track IPsec/IKE modifications
are on hold? What is the process for getting a new Informational
RFC?
3) Should we discuss this in San Diego?
4) What about possible future assignments of numbers from the
spaces defined by a new DOI?
Jari Arkko
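The point that phase 2 stays structurally the same and only the meaning of the SA data changes with the DOI, shown as an added example that is not part of the original message or the draft. It encodes and parses an ISAKMP SA payload per RFC 2408; `MAP_DOI` and the `PROTO_MAPSEC` name are placeholders assumed here, not values from the draft.

```python
import struct

# DOI values from RFC 2408/2407. MAP_DOI is a constructed placeholder: the
# number the draft would register is not on the page (assumption).
ISAKMP_DOI = 0
IPSEC_DOI = 1
MAP_DOI = 0xFFFF  # placeholder, not a registered DOI

# Protocol-ID bytes are interpreted per DOI. IPsec names are from RFC 2407;
# the MAP entries are assumed names used only to show the dispatch.
PROTO_NAMES = {
    IPSEC_DOI: {1: "PROTO_ISAKMP", 2: "PROTO_IPSEC_AH",
                3: "PROTO_IPSEC_ESP", 4: "PROTO_IPCOMP"},
    MAP_DOI: {1: "PROTO_ISAKMP", 2: "PROTO_MAPSEC (assumed)"},
}

def build_proposal(proposal_no, protocol_id, spi):
    """Proposal payload (RFC 2408 s3.5) carrying no transforms."""
    return struct.pack("!BBHBBBB", 0, 0, 8 + len(spi), proposal_no,
                       protocol_id, len(spi), 0) + spi

def build_sa_payload(doi, situation, proposal):
    """SA payload (RFC 2408 s3.4): generic header, DOI, Situation, proposal."""
    body = struct.pack("!II", doi, situation) + proposal
    return struct.pack("!BBH", 0, 0, 4 + len(body)) + body

def parse_sa_payload(data):
    """Decode an SA payload and name its proposal's protocol under its DOI."""
    if len(data) < 20:
        raise ValueError("SA payload truncated")
    _next, _rsv, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad SA payload length")
    doi, situation = struct.unpack("!II", data[4:12])
    (_pn, _pr, plen, prop_no, proto_id,
     spi_size, n_trans) = struct.unpack("!BBHBBBB", data[12:20])
    if plen != 8 + spi_size or 12 + plen > length:
        raise ValueError("bad proposal length")
    spi = data[20:20 + spi_size]
    # Same Protocol-ID byte, different meaning: the DOI decides what SA data means.
    name = PROTO_NAMES.get(doi, {}).get(proto_id, "unknown in this DOI")
    return {"doi": doi, "situation": situation, "proposal": prop_no,
            "protocol_id": proto_id, "protocol": name, "spi": spi.hex(),
            "transforms": n_trans}
```

Protocol-ID 2 decodes as AH under the IPsec DOI and as the assumed MAP protection protocol under the placeholder DOI, while the payload layout and length checks are identical in both cases.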